Microsoft Office 365 GxP Guidelines
White paper
April 2019

DISCLAIMER

© 2019 Microsoft Corporation. All rights reserved. This document is provided "as-is". Information and views expressed in this document, including URL and other internet website references, may change without notice. In addition, for your convenience, this document references one or more Microsoft agreements and summarizes portions of such agreements. You should refer to the actual text in the most current version of the Microsoft agreements for the exact legal commitments. This document does not constitute legal advice; you should consult your own counsel for legal guidance on your specific scenarios.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You bear the risk of using it.

Foreword

Cloud computing is an essential part of every organization's IT strategy. Life sciences and pharmaceutical companies are no exceptions. Across the board, innovative partners and customers in the life sciences industry have embraced Microsoft Office 365 as a critical engine for digital transformation, one that can shorten the time to market, and that has the potential to drive whole new categories of products and services.
Each year Microsoft invests billions of dollars in designing, building, and operating innovative cloud services. But trust is not a product; it's a value that we must earn every day, every month, and every year. Microsoft cloud services are built around key tenets of security, privacy, transparency, and compliance, and we invest more each year to increase the confidence of our life sciences customers in Microsoft cloud services. With millions of systems in hundreds of facilities around the planet, Microsoft has a deep understanding of standardized policies and procedures, and how to ensure predictable outcomes and manage risk at extreme scale. Microsoft enterprise cloud services undergo regular independent third-party SOC 1 Type 2 and SOC 2 Type 2 audits and are certified according to ISO/IEC 27001 and ISO/IEC 27018 standards.
Although these regular audits and certifications do not specifically focus on FDA regulatory compliance, their purpose and objectives are similar in nature to those of CFR Title 21 Part 11, and serve to help ensure the confidentiality, integrity, and availability of data stored in Microsoft cloud services. In addition, Guidelines for Microsoft Azure and Microsoft Office 365 provide a detailed explanation of how Microsoft audit controls correspond to the requirements of CFR Title 21 Part 11, guidance for implementing an FDA qualification strategy, and a description of areas of shared responsibility. We continue to make it easier for life sciences organizations to use Microsoft cloud services in their application portfolios, and this GxP guidance document is a key step toward that goal.
Although the ultimate responsibility for validating GxP applications remains with our customers and partners, no matter where those applications are hosted, this guide should help demonstrate that you can develop and operate GxP applications on Microsoft Office 365 with confidence and remain compliant while using Microsoft cloud services. On a related note, we think the policies and procedures outlined here are also helpful to organizations looking to achieve more with general change management. We're proud of our pace of innovation. Helping our customers also means helping you learn to adapt to and adopt our updates and enhancements. We look forward to working with you to help you achieve your digital transformation initiatives using Microsoft Office 365.
Chris McNulty
Sr. Product Manager, Microsoft 365
Microsoft Corporation
April 2019

Executive summary

This GxP guidance document embodies the continued focus and commitment of Microsoft to supporting the life sciences industry as it seeks to benefit from the full potential of cloud-based solutions. By leveraging Office 365 controls to help manage regulated GxP content, life science customers can configure the necessary protocols to help ensure the integrity and security of their data. The purpose of this document is to demonstrate that as a cloud solution provider, Microsoft has the necessary technical and procedural controls to maintain the Office 365 platform in a state of control by preserving the confidentiality, integrity, and availability of our customers' data.
This document identifies the shared responsibilities between Microsoft and our life sciences customers for meeting regulatory requirements, such as FDA 21 CFR Part 11 Electronic Records, Electronic Signatures (21 CFR Part 11), and EudraLex Volume 4 Annex 11 Computerised Systems (Annex 11). While considering the use of cloud technology to host GxP content, it is important for life sciences organizations to assess the adequacy of the cloud service provider's processes and controls that help to assure the confidentiality, integrity, and availability of data that is stored in the cloud. When stored in Microsoft Office 365, customer data benefits from multiple layers of security and governance technologies, operational practices, and compliance policies to enforce data privacy and integrity at specific levels.
This guidance document highlights the extensive controls implemented as part of Office 365's internal development of security and quality practices, which help to ensure that the Office 365 platform meets its specifications and is maintained in a state of control. Office 365 procedural and technical controls are regularly audited and verified for effectiveness by independent third-party assessors. Of equal importance are those processes and controls that must be implemented by Microsoft life sciences customers to ensure integrity of GxP content. This guidance document includes recommendations based on proven practices of existing life sciences customers as well as industry standards for validation of GxP applications.
By establishing a well-defined cloud strategy and robust governance model, customers can ensure the following:

- Risks associated with hosting GxP content in the cloud are identified and mitigated.
- Internal quality and information technology procedures are adapted for using cloud-based applications, and customer personnel are appropriately trained.
- Due diligence and assessment of the cloud service provider is performed.
- Systems are designed to preserve system resiliency, performance, data security, and confidentiality.
- Data integrity and compliance with regulatory requirements is verified.

By working together and focusing on their respective areas of expertise, Microsoft and its life sciences customers can help usher in a new era in which cloud-based GxP systems are no longer seen as a compliance risk, but rather as a safer, more efficient model for driving innovation and maintaining regulatory compliance.
Authors

The production of this GxP guidance document was driven by the Microsoft Office 365 product team and was developed in collaboration with several functional team members whose responsibilities include compliance, engineering, legal, life sciences, technology, strategy, and account management. We collaborated with our longstanding life sciences industry partner, Montrium, to review internal Microsoft Office 365 quality and development practices and to provide expert guidance concerning industry best practices for cloud compliance and GxP computerized systems validation. Montrium is a highly regarded knowledge-based company that uses its deep understanding of GxP processes and technologies to help life sciences organizations improve processes and drive innovation while maintaining compliance with GxP regulations.